OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: dethy (dethysynnergy.net)
Date: Mon May 28 2001 - 04:46:13 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Vulnerability in Solaris mailtool(1)

    Date Published: May 29, 2001

    Advisory ID: N/A

    Bugtraq ID: N/A

    Sun Bug ID: 4458476

    CVE CAN: Non currently assigned.

    Title: Solaris mailtool(1) Buffer Overflow Vulnerability

    Class: Boundary Error Condition

    Remotely Exploitable: No

    Locally Exploitable: Yes

    Vulnerable Packages/Systems:

    Solaris 8 x86
    Solaris 8 sparc
    [possibly others]

    Discovery: dethysynnergy.net

    Synopsis:

    The mailtool program is installed setgid mail by default in Solaris,
    a buffer overrun exists in the OPENWINHOME environment variable. By
    specifying a long environment buffer containing machine executable code,
    it is possible to execute arbitrary command(s) as gid mail.

    Analysis:

    The vulnerability in mailtool incorrectly handles data from the
    OPENWINHOME environment variable, if this variable exceeds a predefined
    length a stack overflow can occur.

     bash-2.03# export OPENWINHOME=`perl -e 'print "A"x1010'`
     bash-2.03# mailtool
     Segmentation Fault

     `truss` output:
        Incurred fault #6, FLTBOUNDS %pc = 0xDF8BD448
        siginfo: SIGSEGV SEGV_MAPERR addr=0x4141414D
        Received signal #11, SIGSEGV [default]
        siginfo: SIGSEGV SEGV_MAPERR addr=0x4141414D
        *** process killed ***

    Quick Fix:

    Clear the sgid bit off the /usr/openwin/bin/mailtool program.
    chmod -s `which mailtool`

    Solution/Vendor:

    Sun Microsystems was notified on May 14, 2001 and verified the
    vulnerability. Patches/fixes are shortly to be released.

    Related Links:

    This vulnerability is unrelated to the Solaris 7/8 ximp40 shared library
    overflow discovered earlier in the year:
    http://www.securityfocus.com/archive/1/159586

    Credits :

    Vulnerability discovered by dethy (dethysynnergy.net)

    Synnergy Networks http://www.synnergy.net